0bcbe6167f0bf8938d5f44e947f4fc26acec8e95774725900e9b8b42f31888a7

Analysis

max time kernel
120s
max time network
120s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
03/09/2024, 14:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e1953d89d763e974d45868a4f048e580N.exe
Size

3.4MB
MD5

e1953d89d763e974d45868a4f048e580
SHA1

c4e4d3c3c6d5252f647de5cbc02cbedaaea6518b
SHA256

0bcbe6167f0bf8938d5f44e947f4fc26acec8e95774725900e9b8b42f31888a7
SHA512

4aadaffb592456810e6e2b20ddb7a0a46dfce09e40d0b5fbb644b3d1cd3bcdbe576563ca2bb8662a5200e2e20ab1dca4aa38e519101504964cb80b02c37d04d4
SSDEEP

49152:9DOOqxekIwZbn005yZL8BFi0fXpn3pL/+9hBZhOh5PSSNPigdyPpQul+Lupy0yDq:adn5etNCWQu3pynD527BWG

Score

7^/10

persistence privilege_escalation spyware stealer

Malware Config

Signatures

Executes dropped EXE 22 IoCs

pid	Process
4972	alg.exe
1976	elevation_service.exe
232	elevation_service.exe
1700	maintenanceservice.exe
964	OSE.EXE
2320	DiagnosticsHub.StandardCollector.Service.exe
4624	fxssvc.exe
3080	msdtc.exe
1980	PerceptionSimulationService.exe
1536	perfhost.exe
4196	locator.exe
3536	SensorDataService.exe
1732	snmptrap.exe
4400	spectrum.exe
212	ssh-agent.exe
4908	TieringEngineService.exe
1596	AgentService.exe
4772	vds.exe
4392	vssvc.exe
3508	wbengine.exe
1336	WmiApSrv.exe
4556	SearchIndexer.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops file in System32 directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\SensorDataService.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\spectrum.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\ce63b077696f5a03.bin	alg.exe
File opened for modification	C:\Windows\System32\msdtc.exe	elevation_service.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\vds.exe	elevation_service.exe
File opened for modification	C:\Windows\System32\alg.exe	e1953d89d763e974d45868a4f048e580N.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\msiexec.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\locator.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\vssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\AgentService.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbengine.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\wbem\WmiApSrv.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SearchIndexer.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\dllhost.exe	elevation_service.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	elevation_service.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\maintenanceservice.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_86171\javaw.exe	alg.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\jp2launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\default-browser-agent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\ssvagent.exe	elevation_service.exe
File opened for modification	C:\Program Files\Mozilla Firefox\uninstall\helper.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ExtExport.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\pack200.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Google\Update\1.3.36.371\GoogleUpdateCore.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javacpl.exe	elevation_service.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\orbd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jinfo.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\keytool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\rmid.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jjs.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\tnameserv.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrServicesUpdater.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\arh.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javapackager.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jps.exe	elevation_service.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\schemagen.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	alg.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\uninstall.exe	alg.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	alg.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\reader_sl.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstatd.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\servertool.exe	elevation_service.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Eula.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	alg.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmic.exe	alg.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\javaw.exe	alg.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	elevation_service.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	elevation_service.exe
File opened for modification	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\plug_ins\pi_brokers\64BitMAPIBroker.exe	elevation_service.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	alg.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	elevation_service.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 1 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	e1953d89d763e974d45868a4f048e580N.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\Registry\Machine\HARDWARE\DESCRIPTION\System\CentralProcessor\0	TieringEngineService.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	TieringEngineService.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\notepad.exe,-469 = "Text Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{4EFE2452-168A-11D1-BC76-00C04FB9453B}\Default MidiOut Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-184 = "Microsoft PowerPoint Macro-Enabled Design Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-131 = "Rich Text Format"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-140 = "Microsoft OneNote Section"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\windows.storage.dll,-10152 = "File folder"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-34583 = "Saved Pictures"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9902 = "Movie Clip"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-123 = "Microsoft Word Document"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9934 = "AVCHD Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-912 = "HTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\wshext.dll,-4802 = "VBScript Script File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\msinfo32.exe,-10001 = "System Information File"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9932 = "MP4 Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-194 = "Microsoft Excel Add-In"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{01BE4CFB-129A-452B-A209-F9D40B3B84A5} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000a462e18b0efeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9909 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.mht	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\mshta.exe,-6412 = "HTML Application"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-8 = "Microsoft Malayalam to Latin Transliteration"	SearchIndexer.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-177 = "Microsoft PowerPoint Macro-Enabled Slide Show"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-103 = "Microsoft Excel Macro-Enabled Worksheet"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9925 = "MP3 Format Sound"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aifc\OpenWithList	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9935 = "MPEG-2 TS Video"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9911 = "Windows Media Audio shortcut"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Multimedia\ActiveMovie	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-914 = "SVG Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\System32\ieframe.dll,-913 = "MHTML Document"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-2 = "Microsoft Script Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\MPEG2Demultiplexer	SearchFilterHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-142 = "Microsoft OneNote Table Of Contents"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.aiff\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\C:\Windows\system32,@elscore.dll,-1 = "Microsoft Language Detection"	SearchIndexer.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My	SearchFilterHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E2FB4720-F45F-4A3C-8CB2-2060E12425C3} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000d682838c0efeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-102 = "Microsoft Excel Template"	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-121 = "Microsoft Word 97 - 2003 Template"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\unregmp2.exe,-9914 = "Windows Media Audio/Video file"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.svg	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{3DBEE9A1-C471-4B95-BBCA-F39310064458} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 010000000000000042dc998b0efeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{A38B883C-1682-497E-97B0-0A3A9E801682} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000f0a09e8b0efeda01	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{5383EF74-273B-4278-AB0C-CDAA9FD5369E} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 0100000000000000c1c5e38b0efeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@windows.storage.dll,-21824 = "Camera Roll"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{C120DE80-FDE4-49F5-A713-E902EF062B8A} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000006b62008c0efeda01	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Windows\system32\cabview.dll,-20 = "Cabinet File"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wvx\OpenWithList	SearchProtocolHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-113 = "Microsoft Excel Binary Worksheet"	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-174 = "Microsoft PowerPoint Presentation"	SearchProtocolHost.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{33154C99-BF49-443D-A73C-303A23ABBE97} {886D8EEB-8CF2-4446-8D02-CDBA1DBDCF99} 0xFFFF = 01000000000000007aefac8b0efeda01	SearchProtocolHost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\ActiveMovie\devenum 64-bit\{E0F158E1-CB04-11D0-BD4E-00A0C911CE86}\Default DirectSound Device	SearchFilterHost.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26\52C64B7E\@C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\Office16\oregres.dll,-170 = "Microsoft PowerPoint 97-2003 Presentation"	SearchProtocolHost.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1976	elevation_service.exe
1976	elevation_service.exe
1976	elevation_service.exe
1976	elevation_service.exe
1976	elevation_service.exe
1976	elevation_service.exe
1976	elevation_service.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
660	Process not Found
660	Process not Found

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	3956	e1953d89d763e974d45868a4f048e580N.exe
Token: SeDebugPrivilege	4972	alg.exe
Token: SeDebugPrivilege	4972	alg.exe
Token: SeDebugPrivilege	4972	alg.exe
Token: SeTakeOwnershipPrivilege	1976	elevation_service.exe
Token: SeAuditPrivilege	4624	fxssvc.exe
Token: SeRestorePrivilege	4908	TieringEngineService.exe
Token: SeManageVolumePrivilege	4908	TieringEngineService.exe
Token: SeAssignPrimaryTokenPrivilege	1596	AgentService.exe
Token: SeBackupPrivilege	4392	vssvc.exe
Token: SeRestorePrivilege	4392	vssvc.exe
Token: SeAuditPrivilege	4392	vssvc.exe
Token: SeBackupPrivilege	3508	wbengine.exe
Token: SeRestorePrivilege	3508	wbengine.exe
Token: SeSecurityPrivilege	3508	wbengine.exe
Token: 33	4556	SearchIndexer.exe
Token: SeIncBasePriorityPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeTakeOwnershipPrivilege	4556	SearchIndexer.exe
Token: SeDebugPrivilege	1976	elevation_service.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4556 wrote to memory of 2168	4556	SearchIndexer.exe	121
PID 4556 wrote to memory of 2168	4556	SearchIndexer.exe	121
PID 4556 wrote to memory of 3368	4556	SearchIndexer.exe	122
PID 4556 wrote to memory of 3368	4556	SearchIndexer.exe	122

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\e1953d89d763e974d45868a4f048e580N.exe
"C:\Users\Admin\AppData\Local\Temp\e1953d89d763e974d45868a4f048e580N.exe"
1⤵
- Drops file in System32 directory
- Event Triggered Execution: Netsh Helper DLL
- Suspicious use of AdjustPrivilegeToken
PID:3956

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Suspicious use of AdjustPrivilegeToken
PID:4972

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1976

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:232

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:1700

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:964

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:2320

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:2436

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4624

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3080

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:1980

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:1536

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:4196

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:3536

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:1732

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4400

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:212

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:4040

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
- Checks processor information in registry
- Suspicious use of AdjustPrivilegeToken
PID:4908

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1596

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Executes dropped EXE
PID:4772

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4392

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Executes dropped EXE
PID:1336

C:\Windows\system32\SearchIndexer.exe
C:\Windows\system32\SearchIndexer.exe /Embedding
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4556
- C:\Windows\system32\SearchProtocolHost.exe
  "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
  2⤵
  - Modifies data under HKEY_USERS
  PID:2168
- C:\Windows\system32\SearchFilterHost.exe
  "C:\Windows\system32\SearchFilterHost.exe" 0 912 916 924 8192 920 896
  2⤵
  - Modifies data under HKEY_USERS
  PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
ec468b289ab004769b036d5b6268e384

SHA1
15ce6ff7ad006da7b3f3439192e5a21851cc6ba8

SHA256
546f8a2318df4ff66883ea433235b7ab21269b6218042b4771635047ed37bf7d

SHA512
92cec76af62d6032cf5508712fe6a3e41a987af92b721f6370b95d114e14f0f8979982a7d7e90fa5de5f1855ef9b3c235ea6cbf7b56462359b3b80c1e691c889

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
1.4MB

MD5
30421bb68fadf94e74acc8e36a67192d

SHA1
ecf41c6b13ce21a7e64811aef8a2f141da392be3

SHA256
759ea630258e3d5ddbace3358e312ec9e60804e0fedab8793b11d4728e7ff7d4

SHA512
06cb5b9675c22fb7b82b2f78def1c0d6f7359c096072044b02fd45cba759bc5e746e22d4351fb6504e450d102c38f38d4a112d116b33139fa3d52ac578d97984

Download Submit
C:\Program Files\7-Zip\7z.exe

Filesize
1.7MB

MD5
3810a40838255d49648209132716ee73

SHA1
e50380afcc1b4fa66069709f4e179c9bbeea87e7

SHA256
f3588b24e5acaf7e635643e5b0eb54c3f2b2a5d4f96691e6604e456162ebbfdc

SHA512
9220a799e8fe4c723fa3a8e14d4bc0f6c8751816774c10298f5d014f86c5834fe42998d3f3e30679da6507e65d959eec64409bf4b35fe098b0391a6e462299ef

Download Submit
C:\Program Files\7-Zip\7zFM.exe

Filesize
1.5MB

MD5
92a0f582dfc845d015bbdef0c3b793fc

SHA1
530e372c390bbe7ba0be48638397898bc66fd979

SHA256
6a692d017e687b6563feb2e945c804a15fd95407985cc20e0f88136daa678c92

SHA512
c66af725788bd4f3b79cec7eec022e4bd805cf35341110f9e492ab226c3a72db46f28cbc4089c77802fa955bc6d477e2f00e09263116bb17a9541001252d7c42

Download Submit
C:\Program Files\7-Zip\7zG.exe

Filesize
1.2MB

MD5
299ff063ac35007d800b29cfef268feb

SHA1
877cc4708289d5ae5e101153a78d28d2dd4cfffb

SHA256
47cd140de31305c9b10c08907e027510fb125078df79a9bafd8d1424b281ae2b

SHA512
3f066ca41fa84f337da86d8f860e5dcf83c1b3bc0118736667775d2b6d8e355ca2a52dae4338684bede592c40adc0ac2756386fcf7f2e76c4ca0cdeeaaadaf98

Download Submit
C:\Program Files\7-Zip\Uninstall.exe

Filesize
1.2MB

MD5
0a0b20781f6fa288607af63d2fac25f3

SHA1
8c20587f9d096120d7f37a518681a0e7b609a1c0

SHA256
c50116f4b82048f8542f38dea4875ceb271ea554d7f658eec7eb36046e4c1196

SHA512
47e062c2da6e4d1b70489f6a266d9c09f238db5425887a812ee79410903c10b5e7d15b0f49ffe431301373d60814028db66965d1f22a94022e55faf24eaea111

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

Filesize
1.4MB

MD5
13860f67993896004e5b69b395ef75e2

SHA1
bed01566b3d0a9d2e2c2e09d990a481ed448a8d3

SHA256
8989f71ca1d202bfb5e08a5f8749c76f1dcc9a74a6b24f575db36cdf1fb4edf0

SHA512
601ce386c9b00f37750a81b3c8c9621eb7c9ac33c5356c8b97d55d92cf1ca45fd92ec45f6693fe7cd7bc2a097f57f261f85d4b66b648215fdea85eb9b1bd3eb8

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

Filesize
4.6MB

MD5
7613029cb54bfb528587d7900d1d3b14

SHA1
270c28ff699a4a7cabc494db5c71356985995db7

SHA256
1313225caab05a830628ec37ebde4da1e491cd87ee19c27559c09d7ac3b4df0f

SHA512
80e80f705fbf1c03746b557e1bd2261bad20e51874726a29233258f21be618da57bffc2aed4896dd242d65affb51059a2ba76080cfacd1a352ff6e9f1c2fdf43

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

Filesize
1.5MB

MD5
c177b336807b35cb00a0a9f95b64aa22

SHA1
61aad014fe2e243205d4d21e82c6ad88efcdcab7

SHA256
5caebdd0c33b6bb69e669210227400ff324ae3116b3c83f09907411c4b9db675

SHA512
430a1d5a79a80fb4daa051f10c4a1ca23d99b7ed7d6e7bfdc26cecf391baeffcd77f7cf8ea7315558696ee82a29eca91fdb82b303da80d920cc351aa737e53e3

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

Filesize
24.0MB

MD5
1eb0ebe44ab1489ef8effe76f0fae3f1

SHA1
2e50862a0e19780d4673c1f745a4645c4a85c4cf

SHA256
902703a7dc7ca785af076ecb21a833bc0db8dfbaf5a2f23579ea15b45e2f2c18

SHA512
b5547ea7f5ecdfbcce42f898f77bae68c2efffbfa7c05a88d4f75d76326d5397482458ff9bdc2f4605a8346300774805dc2c7c33039184636bb198a907894627

Download Submit
C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

Filesize
2.7MB

MD5
8e70a3bf2b62d544e21b7f0ce7246a3e

SHA1
9f2b9f2004fd0e272e3a59d399da9e1a4a30ac5f

SHA256
a2ced554e4fac930eba20c3b424adbcb05cb113224094944fff7a386195ce0b0

SHA512
e8c8a47816c3d58ba7438e065382817fe77d15570f9f1dba85a58ed4c2d698d2ca41a1b25757eabe7ac9e65c16c7a5a13bb51902c3397febf2e7b402a8e2c53a

Download Submit
C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE

Filesize
1.1MB

MD5
a29bfa09d49e9614519cc18c2d239213

SHA1
fbf0a07da1a96ff7e8daeda01351592bbc674df4

SHA256
c04b0c1d5805078a364a773507f80fb96385c24e55663b43c19ff3ad155c369d

SHA512
cc3b5af4a920accfbbe56bb0d2ad1173aed047ae0315e4baf2e52e6f80a33c98aa7ecb4f7c412d232556f5d178f7eb4b10e09c369aa6cb4b7c312bd257a0f1e4

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
1.4MB

MD5
304a45edb211d3cf3b937efd712df49f

SHA1
76eae0a5811b6951dfb34b96afb2d58110a6048d

SHA256
87041d3d9bd873360d4cda295bcaa00835b766d6ee27cb2faa622b432badf010

SHA512
9a3f4c8da0c9fbaea94bea936496e26c0b4442f4451cbeefc6900dd4928ad7ba15b45d4aff1004875ce9e69a5e3d3e6d22727e371e4b55951ae53745eded42af

Download Submit
C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe

Filesize
1.3MB

MD5
037734ce2aa322245a5c4ac579d77f53

SHA1
1bfc9c45cceda6f0c9507a069663e850edbd8386

SHA256
62e84553d5f96d9cbd5de07ed10fee437c2e4652c8837a8ffec627642c8803d4

SHA512
2cbf9f78ee397e31caf47b2f35289c1069a7612d78f308235dbf759c0c64afdeca64fef628fad1f0d10c22e7cf261a976ae0bce29ce369d7646f67f28aad77f7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe

Filesize
4.6MB

MD5
25cc649f7e5d2d825864fa3bd9024109

SHA1
5277e117975e7b3d7ecf440ca9f276609a4f0078

SHA256
5e11d9dfc77a9f3690cf4ef029d8ff373e6be9d6c3279de962558588bae9c94e

SHA512
d0c59f6b15514e6f2e12e4d2798f01dd8809439554c31efaf7781c1a050a1710542e16b37d678cfe1058cd726d7172163bdbc98feb5d71958d09fb0d2432b2f0

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe

Filesize
4.6MB

MD5
1c6a8a22a8ff0be40279b4895ba1c027

SHA1
ea1a9110023e001564139ca8323bb8354281c353

SHA256
45777e4fab10153c2059b1fadd53bf41c6f169257b38fee16027030704447e12

SHA512
7dcd166ac7ca576e450235357f65fe00a4e01e1ce2aa72b8640566217316565de86f4210f1a33df8a1c854e7fa53ae4dc6e2233b6559b3425b72028d97405ab6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe

Filesize
1.9MB

MD5
097b788256eff4149a76128aaf65f98d

SHA1
d19bc6dd49bd2e4a2d6378948fdcd5a0eaad6317

SHA256
34bfd75086c76c47006e0fd37953fc47878fa48754237075eec8377b420ec1b8

SHA512
304a7076363f3d9c40c775c8977d29d90c256f4341fe8fb8527ca734d6461965cc487b98f32fbcd887dae842102d0ba53a804800cba7357cf709cb67c8c2a595

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
dfb3f547df14d68ce4f9558591afea8d

SHA1
d4edc6536064bf3cffb523e238e9ca2820b5609c

SHA256
8973a396f3f7143e1dfa2dc903b5c1c62302e74d9fd6f9a871079f2e12a16e6e

SHA512
70f4e3f47398745e0ae1d07f70d7effbbd344b36cc0ec04263c16bbca20dd138333f3fa64fc0fe4a63712487e5617e9036e303e44eaa12b5897272f0af4368de

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe

Filesize
1.8MB

MD5
a5b8f2160bb9e969bcce57ef49e8a865

SHA1
3c15f3a2f7c20bf810e2119a16433451a09d84a7

SHA256
d337683fdb729c999ee81d2d6ac77f707c9eaa8fc65a752ab310ee9a524b7e58

SHA512
70e9fb35dbeaf3a41d500600716a62923f513c82edb3fffbf83e6f76e91020b3bbcf11a5073a3df9765d5befb063ee46a0f3d95b2f24332a40723d068a655a31

Download Submit
C:\Program Files\Google\Chrome\Application\chrome_proxy.exe

Filesize
1.6MB

MD5
b6f874b7815cb329d6e29738d9cd13d8

SHA1
37babf63edb35e3b5145a0758bc1834f93d43a2d

SHA256
079e837fdb1e6c114617a6939e50045ba3b1f560cede7de39c2e5cf927e48dc4

SHA512
de6e0a46da4b1c68fbe55d6f8423bce9ba7547a43dcbf16c15a89af9815c49c2647a5fd2d5252eea09eb8711fd2ccf57c72a3f8cc56d8c833ecfb582d6e1127b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe

Filesize
1.2MB

MD5
170294d3976dded404e0f9675562da2a

SHA1
aa8e84f07ec74d83c4e5a07765ccbfc5ddafa0a1

SHA256
659fde27868f67a41bcb3f06cdf0b7c2c92aaf71471c58355272ce844601f5e5

SHA512
480a97967c8388c2c007270ee39f9811784b0f87054cd878ad9a56a51170985e2de29cf0de104adcf4c6b54a5ec5422b0c410b7eccb8b081aacb9678b5289507

Download Submit
C:\Program Files\Java\jdk-1.8\bin\extcheck.exe

Filesize
1.2MB

MD5
f5c48b5d990ce9dff41042f0f51cdac0

SHA1
5c56c6be573820917d71f7b3dbb48919927d4709

SHA256
a26874dd8c1aa0fda248e753194595a823136fb6046271e7efa5ecdeb0f92513

SHA512
466559d28e622d3f83fc85feb6ba4219a7c94c7d26b92697fc699bcb2a0b233b0096d5cb885a3a8c73011bd03bcd7f767a2a58105aa62277372e0bf2e476d34d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\idlj.exe

Filesize
1.2MB

MD5
efb8e3aa49c2c8a0d2a84cde6bd7eaa4

SHA1
16c704bbf0e43c6068a97e8f6e1cc393f29f9c26

SHA256
475593acd9e5d996cd222a75d87edc3b932906e6bb9ee0527df7d8897e07b54b

SHA512
bba4b1f9ff116e26d59dfd565fce473105505bda794fcecc3b5646c4de42e748c12d8489e6f98e7a4227b3d49abf32a84cc6608e5e948bcb6e821dfda5c855ea

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe

Filesize
1.2MB

MD5
7077858047017b7096283c735e8d1cfa

SHA1
714e6d242d2331634d2311cc9415c1d6c5f62aec

SHA256
e9351362f1881fde96fa292b56d9cd0ad5a4925a3356bf6a3b9dbb9d103ce8c9

SHA512
c35788bc0dea756791e68fadb60ffc86ba222d87bab1eb7ff0482bdc0c9ac0f3c828cda56470d9cc2cdc690ace6195f22f06eaafe434f4f5423d973c5e014243

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jar.exe

Filesize
1.2MB

MD5
4b69ae65b0b72d9fd1105f50434d06a1

SHA1
37499dc8528295d459a04dbd753bf36625c5ca23

SHA256
dfb485cec7e18322fff0ea1ee53497a55c136ed037235c99dda7ad3d2fd1c79d

SHA512
ae7314858abbcbad95b995dc2a38de54058d777db7e6980a2ca2feaf2eabb7835735b7f44d44e8f033ef25393d8fa2748c54aba083b84c6d246dbc3e4f8a09a3

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe

Filesize
1.2MB

MD5
23cdeddb64455f4a1312bbafb9eff2ea

SHA1
c972ef22703c1d1a2989584be40d15b73bf705e0

SHA256
2470d13ac7f489522d012f21afa3effe1e750df594904c743523ec9d2234780c

SHA512
c385bbb93b8c2c48f7c06f77d6e22d7316461a73cf6792afce216a3412399b2ee2c14680f9e0cca1b04fcebbf6d8306439e6b65fe7ebdbca6e686c58a03ebe74

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe

Filesize
1.2MB

MD5
98b3bf36b566b667017924f8d0e2cf80

SHA1
46359cf7c548bce39aa276132c7b4deda247526b

SHA256
76d9033e19b4edfde5b18d48c4b0360548b41d558b062e0e84605026aadbaef9

SHA512
2a075e809f85661c63d2890041e99659fcd199139493fd274f4caba25bf8c2fe7343fc08d232426f9f8c17d8539261fd569794ebf25befc1a6029b445b8071bf

Download Submit
C:\Program Files\Java\jdk-1.8\bin\java.exe

Filesize
1.4MB

MD5
356289d95f136f978dc08a8736111994

SHA1
ee9dde8207005ee3da8dd2c633774d11982f0945

SHA256
a335b76fa2dd6b295d0b0fdf07f7d0f1bb6cb5b137c9cb956da8705ae99b8214

SHA512
c693e47583c53c7ab236e79473807cb95b12ef20b4c159c1f26fb96d46e109b1987a13f2c0fab1b3cd6fd53c6a3c6e825dffdfab40c72969728e56f7ed4903f1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javac.exe

Filesize
1.2MB

MD5
3c6715c50b423e0d867c8658f91a2dab

SHA1
aeb111b75a4b295473514da3819d14da3d74c608

SHA256
ea60aaf6e05974ad0fd499acb8415f8899ad1d694dcab0829db147bee23b7810

SHA512
41cdbbcdf0fc7ec0831cbeced9983ee8d9ac34d8c97453d19e8419dcc98d1335ab04519d22841a13af74c6377fa5b5f83fe429b0acb24d3f2209de856c32ce76

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javadoc.exe

Filesize
1.2MB

MD5
74a90e67785dbff57ae0a8498880a6bd

SHA1
e095a34cc6833f565e5c2a1da43928c22c9ec26d

SHA256
42ddae608c337e3710780c525c528f6af32cd7a425aeaa988339964b5f216ad0

SHA512
60229910af1efaaae82e0cc510e9923f0ddea4a586f2017d016b608e0a4a6055901eb3b2add79b6cab1af50b9674a774fa41f0cfa58a9d16f676bd2d60721466

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe

Filesize
1.3MB

MD5
e5ec068b10c5a4b062ba927788bc21b0

SHA1
e68f44b7d98049fe26b9a7a674457526416c88c7

SHA256
7b625f7c691acf1e926628667c1c770ee00aeb852082ee6f33b9e409fdbf7fac

SHA512
bf79647d9aed984dd4e783f79806af657ec43a2a455f7780f0e178b36d0eea09e6a57bf3dc3d932c72d1faea62561a95cd22fc74bab27855bffad0187fbc1fc1

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javah.exe

Filesize
1.2MB

MD5
d1e264cb63cf61a8a402ee62e5b72596

SHA1
97b4b3670f536155d47b5fcc08f11ec7b6c5bdaa

SHA256
44883921e4e24b1d04b01218222e2c8f7a10ac242cb8c1bf92b0abc35564a8c8

SHA512
d183758eb99060e42d35a5f7d0c02f1ecc21b679b36c77d3b29930ce6761fa6c5bf246d62e8d8df198d8bf4d08a00075aa9cb481bde654733e728b7ebdbe1d64

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javap.exe

Filesize
1.2MB

MD5
6a481bcaba6187eb315f24140aa4d10e

SHA1
065876c64990c3c954706809745cec0fa3c1ee29

SHA256
93663fa822d9201f938540c50e689d1ff97b497f4685aebbaae6dc56171de614

SHA512
58d1530f1aa40802b4c2c6f4dce50044139517ba3a1b70eb70c14c2baad4575dbd3a56c68e8a765ae3882ad22140dab7afcae0649dfe52a63a751db0e42ab8c2

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javapackager.exe

Filesize
1.3MB

MD5
acc337077070e52877c5234a242ca0f5

SHA1
66bd4ba316dde7314639e127f61d981a91e11b38

SHA256
67ace1e83c19b1107d01daaceb3f9f1ae76b9908449fd02221cc785f603089ca

SHA512
cadc82b4e9da81b4c44abd02cb039f3875d7fb989a1c87de5cefc95ee7856e56474f7fe5044b6cd8cb3df529b12e8c3e44ce25589d36181a8c09a14929d801e9

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaw.exe

Filesize
1.4MB

MD5
56e290ce865d50e58d32e732239d9231

SHA1
df2b442ff965839a8d357eb4ffb71b397212a7c6

SHA256
c6105b9b2fb4ba8c0a3dbaeb1be96b9ade27e8b0b6ccc05a31181df225ff7a3b

SHA512
30eca2ab4ffe9b050ef68cfa8f9a69870d658d807b8c3cafe703492f39bb9c7fa33a08760d453ec4221d15cd0b825e34dcab3549926cdc21151c21263e08877d

Download Submit
C:\Program Files\Java\jdk-1.8\bin\javaws.exe

Filesize
1.6MB

MD5
2dc181403305db335edfeace8da73e9f

SHA1
0566af3ad6eb49bf926355df25a7d0103e27c828

SHA256
72c06667f048d2767c133f24d44c672fad2a8af6f550bd4827f24b4836ac5c06

SHA512
77e8cf5f059d5640838b179c6953755eacb52ad24095c0219cce8da8012cd034893108245a0cba59b54560f48137de07ec324b9fc793eae8ff08460becde9d7b

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jcmd.exe

Filesize
1.2MB

MD5
eb560f9f556782216c265286eb2fb9f4

SHA1
8e6d4eb252be99e23014d642212915ae3dfcb996

SHA256
125eb0db852cd6202953cc46404c924e484a5b8f5b30af58f89ce84c45ef26d7

SHA512
f5e12b9ec0cfa49aa9b397565c8664a302430be14bcb82dcc10d18b6d227ef852fe12bf2cfad810e42accf67922d375d1a01f9800adee9d410c1e2ff56b1fc54

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jconsole.exe

Filesize
1.2MB

MD5
5dd7efc58f95f8f3695eb825c8fac365

SHA1
b5861a194850d1eb970b68afa60bf78adced036c

SHA256
3577690a47b479ee49b284277d283483f7c3e85d2e0d1fdb82ad9115bce86621

SHA512
75ea54f32fabdf6ec534ec2cb354f655ab42f95ed8352d49d89fd4b876e6747a0dc1c796aae894b4c74d59cf70548576d7478ec24d258163ea49f14a3a4dc8bc

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdb.exe

Filesize
1.2MB

MD5
a359f85581ff3da3a7e6c8cfeb633119

SHA1
117bc8f453933962e140a043468f4a36691c3829

SHA256
354c02c225cea49dd223f407f98b845332fb6b320f4e588947578cd52e5c7be5

SHA512
0141b9b178c85d70578209ff227624df75247854fb1a05612d623f8975e08cd5eb26af300885e65f0e676197f733a47c01894d8c7b210fb3210e54198827c6bb

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jdeps.exe

Filesize
1.2MB

MD5
46d60199f576bc07730c5a6c68afda87

SHA1
b46725a7a50dd4a75462135d7eb9c1a44920b9ba

SHA256
74d835443bdabd346331be1183a989186a7ab94ddf916cd077e8f731970678e2

SHA512
91c4125b609d729466df983edc75c9c448f72d6f001710b30d5af695d14d276363cd2bd1446eec920eec0658a0229f3053b47d4a60f0113d2ee67c673fa1b259

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jhat.exe

Filesize
1.2MB

MD5
fedfa9358832955d9718dbe0890b77e0

SHA1
7ca05e149b31105f1a9070897f1daa76009ebfa7

SHA256
9bd31f7e6b56137f735dfa2a188bf3f69ea9670caa88dab37b16d41351c41850

SHA512
280cb1bfc61289b6e4bb3308d86506ec510f1a3b8c7b6e47d8ca37a39d244efd755f4415d63490fdabbccfcd0116af7f43633a4f6c3fa003d971518ae3b96b16

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jinfo.exe

Filesize
1.2MB

MD5
454c0dc4d66bb4ed0a081c21cebdf9ce

SHA1
cc86db3caf1b7f79080ce14ae7566b0e6d9b02f6

SHA256
8ae044e5d2492052a4f4497b2726544249ec79164f15c5eb6ae5fba35f42a476

SHA512
da14cf1b026b1f78cc799bd02ad905e2179e505938f5673dd76730cd86617b865273fbf4046fa4513e56ec1825c030b98587bf00986c65a105314b6781f190ac

Download Submit
C:\Program Files\Java\jdk-1.8\bin\jjs.exe

Filesize
1.2MB

MD5
39ae226d675bb8e406a87e9ba1a92164

SHA1
312c64b582c231d863afe50dddf314abdcaa98b9

SHA256
a7c14fda23477873a77704eae38ac16084b6daeec5d036fcad41fb1097dde36c

SHA512
2bb7ad2dc4a9d29b46e59e8662afab97ea30b723b7d3f799d46c3d52c49afd7b08c93904e0e78595cf686acdbc771e45f94081b877c2af709a7c47edf5e652c1

Download Submit
C:\Program Files\dotnet\dotnet.exe

Filesize
1.3MB

MD5
4d57fce7e28282049f870717da4ae2d5

SHA1
00d13811ca342c7205336c8cd0e0b5333dce49be

SHA256
1183684763e096f1d1b3646b192e88a78d10ac27434a3b2b690ad0a151f9fbe9

SHA512
1e087372a3f94698e3c466fefb43b28d3f2aec826e02dfce80696a5dca51ccd01ca9ae91056c040043b1e3cbdbc985649942fba90cc0d7af26963d40955462f0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
1.2MB

MD5
ac041c01905622fc702690de4ac3dc17

SHA1
03ae60278dc6557f433b0e606d8db9889b886243

SHA256
39e321d1bad567f781cb9ef0e0623cb091d70656bed2fdcbf83bd50dfa76e09b

SHA512
dc538997fcd8713ac31e0eb1186feb9ee1398a26b656f101df6d8ac926bd487ba467176c9f6ac4c9974f2248f0ff69166f4b4774531eca45c4aff240375a7f84

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
10cf4ee8aa75f2b642c5cf28d5b0a7f0

SHA1
8f8997a6ec39479f44574b51fcf6690531a2f990

SHA256
0c94232ab03ebc3f9655027e12f39ab0d7c025e75ee1e1ce1134115177f7db03

SHA512
027b24d5b844e0f3e2cfb80af22c2cb5f5720119e142a250c2ff65695d4463725a3ac3da06984dd8ee2500da5b87b5e686d0d8a3c31b6d6aed41c8e666435217

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
1.3MB

MD5
d5fbf1c1df4efc16f60355cb0c939dc6

SHA1
e847535b7f740e84196246ce257ebd17afceca9b

SHA256
92a437ece9f75122507137d77ec67c7cd268e27c7afd279888fca19a0f7570b8

SHA512
0f3db24112d9c76391c7fc8faa592e838aef120945d0a7b3d7aa7fae0cf0ed038f5db95ab68377589e6af075624463c3b600264d2fd5db21382164d87e799cd1

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
8cb33392df0b3a689f4b23040130d748

SHA1
1fd1635a551625fe049dc3e70361710c8b5eedcd

SHA256
25abafeb4154b1df3089a89b929f8dbe2eb021c94d9bac196b6443d06c11e485

SHA512
5a43f12a5f819873bfcd10e5a48d235d3602d0a690ca8100ea5771b882713a631ac8cc9f5a673231da7072ef4de572a6949cc9e9f7acbe5c3eef041128f2739e

Download Submit
C:\Windows\System32\Locator.exe

Filesize
1.2MB

MD5
c5bea5bcd09e76d2ee8403404d30ee4d

SHA1
914dbc70bc1356e6f8718ffd4b7cbd6789af9d33

SHA256
59662483c274dab003ce8550c7c1c0f07d73ef20db0e6da353b47e261b03253b

SHA512
78a9f08211bf9628040cf3506fc04a68d8479f0644f7e8583f40ef0c72088a7e094cd6d00486eb49a944a30f3ab41ba81083a4fd0450f718bf92a6b3229cfd94

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
1.5MB

MD5
d3dc47dc7e0cd143718f658c155afafc

SHA1
bf75e2387b536fe75430ecc8a5d8324ae91fd5d4

SHA256
2b4401b40d3b1ba540f8d38592f0fa982558df7dd488248666a20517856c38a3

SHA512
ddea3e1cc298c76f65746e8e4a91ab1147904eba03ff3184a5faff3cf3c294daec0355d96847879eab90769bbf2adfc2f4920abe35d201a09f0f75e1242a852a

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
1.3MB

MD5
86a53858ecde05d682835cb915d673a0

SHA1
b563936125ecdae2f07b76a535f1d2aeba337180

SHA256
c396de1af92106558a4f79bb1b53c32eafaa18f79cec47860881ba6aa3420482

SHA512
18c78647c3af79f97f61b98d0f0c33eea72cea6c034408dc37a66a8a758a6537ca1b0b5629e7f09dbd48a4203f5f3a473267d22c9002aa4c613c5488a195b362

Download Submit
C:\Windows\System32\SearchIndexer.exe

Filesize
1.4MB

MD5
7d65baf533014c090b0a4cc32d5d67a2

SHA1
3a00b08c3d20e3112a277a7c53e2574d8a526a38

SHA256
e2f3a786850e1fcb490f29d61cfb34e09a33b02e9c6ed8f7e91329772294623c

SHA512
195113b1181c5e7e2122d8c1fb70e0a272bfc19dc913e26a8c45c25968b71e3fa10faf31483d449a642c16457ca8823988073258021b1008cdba24acd5635bfa

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
b169da31f43597b3e68f8cfa1dff594c

SHA1
dbc42f06d9561f5827e4ffa6858353209ad19088

SHA256
54dc9046192adc7f3598d086e4ce26f8f058b6015197c7d6a720196727f48514

SHA512
11d9ce55eb3128a79617896e6e3348b414b013d9f4dc836f78a725b19fe4044bf2832b59f96aeda727ec9ea4b498d67a5a7b1f5f70a390f96c05c99f0da200a0

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
80657973653417e75ae40a4c4f36fa19

SHA1
22bf3b4f009f555e24333d38607d3cc2820311a0

SHA256
af539182bcef565507069b99ea5f49929aec7b936c76a08842be5824b692f9d5

SHA512
590998b6e4c7f0efa228f995bba15027cb1b89ba7137c1cb8b4869e8a214d7120717e7b1e15b14236af8d83f3cbb431812a677af61218bef17d1b51db11bed94

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
1.5MB

MD5
cae13f276afdcb3e0873a03bce99964b

SHA1
eeda6d11345625ea18b82712dfe68bd139871e62

SHA256
0c23ab7d8936e38cf45d24586c5101d54aa20bb585087297ebc13ab28e38cc68

SHA512
6a02386d80dced75fe85a62f20a9433222f233dcfc5c0de20f89222b0a00422cbc47473ea9cf3f4bb83fb05ef50d41cca903ccc06335de86950b05cfe1a3f1ad

Download Submit
C:\Windows\System32\VSSVC.exe

Filesize
2.0MB

MD5
f9c2a8029f4b7a9d701ad55a8b904753

SHA1
0e633d6b225164bcd3ae050ba9c56eefea74da82

SHA256
fade558249e7fd3f6821717a3ab5d24c8d4f5c45cecf32f1f2ec1e91e01c9866

SHA512
4827c347852d89db0d13a4f4ec902b57fa2ef0b53153ac9205e890ab53b3a0362251f54d3707ebe434721118099b144da25e4eb8d0028905598e0b85cc712ddd

Download Submit
C:\Windows\System32\alg.exe

Filesize
1.3MB

MD5
59289b0cac57c288d30d33b7d7852b41

SHA1
ff00cb08fe3340180cf04531bf256e4c89d7c92d

SHA256
435c929ca184bf4940a76a476fd3f1c9437fe691c9e83642a3a4d11ce4c4db9c

SHA512
9bbbd34f3f0462a2657ca6bc19db6eae6e7d906e9b6f2344c3bc18f8c6cfebf8e40f400f6b3906c70a1955347d9bdf6755560dc955fadab4e65f15af71fab57c

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
1.3MB

MD5
ab8f444c65c078b991bb8781df8a14f3

SHA1
f999ea96c2e33c2a8d2161883e8f08e21fa777d7

SHA256
eb24c2de2b89fd71c528ed3a47740265f9831805172cfb3f22848ce72ba8cdc8

SHA512
7d9f9533b86b03c6a062f7ae8c63f42e6ab19ce810423e1854e60f87877bcb2ef48c9e6d8d22d9a08780839ac257f4d6f297c3c74cb031d1a9a98c61eb2ede8a

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
1.2MB

MD5
da338813c6791a89d5646f6696e4d56c

SHA1
9261c34eb4fcaf84467676b0936c4087dea4c28c

SHA256
0679f22fbd002aa65ddc8ec9f2498c129637b3fec6158e35c974a1c4a2aaaedb

SHA512
845322c8f22b7fe599ecce798bb85355026a063de98b9903f362b38d68b611b2197bb313e8ce5d9e7b6ea8f5bdb5f3b2334d521c95b7a8ada5cd51ce30b2bbb3

Download Submit
C:\Windows\System32\vds.exe

Filesize
1.3MB

MD5
ddfd0384f90c0119632a2caca22c23f4

SHA1
39b8e3087c70e87b4f9b7ce1a93cd033447ba468

SHA256
0cbfb7bc6caffead34c0ff0f3f3ad6107bf92fc3f708ce536eb37bd521672347

SHA512
c615ec54ae7645543e14baeb3d7659720257706a21670304d86750cb21c74b0b2d5bf4089b2ee8d4d321ed8d713e407cdd8752a3fc817d82fa4f5a4d646564c1

Download Submit
C:\Windows\System32\wbem\WmiApSrv.exe

Filesize
1.4MB

MD5
658c0a72f847cf2ea07f471f5ad0cc2d

SHA1
6e3ca73e1c32360847715d93036c3857db82e2cd

SHA256
4131aa3621cae7f1c5a185ff8909b35ebe8f976cb0fce48aa32b6b9f218dd32d

SHA512
ab48e8a16f4cbb88a73a66128840ffb238854fe3db8fa1a8d29480ddfd4be1e3648ff4892904c4eb460cdff1e90140a971319b5d7563d3cb1ba9376f555f706b

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.1MB

MD5
0f496d15bdfd1f4dd89896cb8e6023d6

SHA1
14811d78dc7d2dfeb86850740098813ace307802

SHA256
c6eed5019939a4c3c70cff7128901cbfb3f73979e55f00d7a2ed21a05504128e

SHA512
9d5c21cdac52ecb08483fce9c5339b2cdf9c7fc87e816ee6d1ef5b606730fd30b94b62afa41381079cefd30dac956de8008b8431711b766182d5d24d1a9737f6

Download Submit
memory/212-344-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/212-518-0x0000000140000000-0x0000000140241000-memory.dmp

Filesize
2.3MB

Download
memory/232-236-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/232-75-0x00007FF98F8B0000-0x00007FF98FB79000-memory.dmp

Filesize
2.8MB

Download
memory/232-79-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/232-48-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/232-42-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/964-80-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/964-73-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/964-67-0x0000000000830000-0x0000000000890000-memory.dmp

Filesize
384KB

Download
memory/1336-608-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1336-426-0x0000000140000000-0x0000000140205000-memory.dmp

Filesize
2.0MB

Download
memory/1536-405-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1536-295-0x0000000000400000-0x00000000005D6000-memory.dmp

Filesize
1.8MB

Download
memory/1596-367-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1596-379-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/1700-58-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1700-62-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1700-65-0x0000000140000000-0x000000014020E000-memory.dmp

Filesize
2.1MB

Download
memory/1700-52-0x0000000001A50000-0x0000000001AB0000-memory.dmp

Filesize
384KB

Download
memory/1732-329-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1732-483-0x0000000140000000-0x00000001401D5000-memory.dmp

Filesize
1.8MB

Download
memory/1976-37-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1976-40-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1976-64-0x00007FF98F8B0000-0x00007FF98FB79000-memory.dmp

Filesize
2.8MB

Download
memory/1976-31-0x0000000000C90000-0x0000000000CF0000-memory.dmp

Filesize
384KB

Download
memory/1976-235-0x0000000140000000-0x0000000140234000-memory.dmp

Filesize
2.2MB

Download
memory/1980-393-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/1980-287-0x0000000140000000-0x00000001401EA000-memory.dmp

Filesize
1.9MB

Download
memory/2320-243-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2320-249-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/2320-355-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/2320-251-0x0000000140000000-0x00000001401E8000-memory.dmp

Filesize
1.9MB

Download
memory/3080-269-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3080-381-0x0000000140000000-0x00000001401F8000-memory.dmp

Filesize
2.0MB

Download
memory/3508-605-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3508-414-0x0000000140000000-0x0000000140216000-memory.dmp

Filesize
2.1MB

Download
memory/3536-603-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3536-309-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3536-430-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/3956-14-0x00007FF98F8B0000-0x00007FF98FB79000-memory.dmp

Filesize
2.8MB

Download
memory/3956-13-0x0000000002190000-0x00000000021F0000-memory.dmp

Filesize
384KB

Download
memory/3956-2-0x0000000002190000-0x00000000021F0000-memory.dmp

Filesize
384KB

Download
memory/3956-15-0x0000000140000000-0x0000000140372000-memory.dmp

Filesize
3.4MB

Download
memory/3956-0-0x0000000140000000-0x0000000140372000-memory.dmp

Filesize
3.4MB

Download
memory/3956-16-0x00007FF98F8B0000-0x00007FF98FB79000-memory.dmp

Filesize
2.8MB

Download
memory/3956-7-0x0000000002190000-0x00000000021F0000-memory.dmp

Filesize
384KB

Download
memory/4196-417-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4196-303-0x0000000140000000-0x00000001401D4000-memory.dmp

Filesize
1.8MB

Download
memory/4392-604-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4392-394-0x0000000140000000-0x00000001401FC000-memory.dmp

Filesize
2.0MB

Download
memory/4400-332-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4400-515-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4556-431-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4556-609-0x0000000140000000-0x0000000140179000-memory.dmp

Filesize
1.5MB

Download
memory/4624-267-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4624-255-0x0000000000E60000-0x0000000000EC0000-memory.dmp

Filesize
384KB

Download
memory/4624-254-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4772-600-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4772-382-0x0000000140000000-0x0000000140147000-memory.dmp

Filesize
1.3MB

Download
memory/4908-356-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4908-551-0x0000000140000000-0x0000000140221000-memory.dmp

Filesize
2.1MB

Download
memory/4972-234-0x00007FF98F8B0000-0x00007FF98FB79000-memory.dmp

Filesize
2.8MB

Download
memory/4972-24-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4972-18-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/4972-27-0x00007FF98F8B0000-0x00007FF98FB79000-memory.dmp

Filesize
2.8MB

Download
memory/4972-26-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download
memory/4972-233-0x0000000140000000-0x00000001401E9000-memory.dmp

Filesize
1.9MB

Download